Bug 185799 - Review Request: nessus-plugins-GPL
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: John Mahowald
Fedora Package Reviews List
Blocks: FE-DEADREVIEW
Reported: 2006-03-18 06:32 EST by Andreas Bierfert
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2006-06-18 05:19:46 EDT
Description Andreas Bierfert 2006-03-18 06:32:14 EST
Spec Name or Url: http://fedora.lowlatency.de/review/nessus-plugins-GPL.spec
SRPM Name or Url: http://fedora.lowlatency.de/review/nessus-plugins-GPL-2.2.6-1.src.rpm
Description:
Nessus is a free, up-to-date and full featured remote security scanner.
It makes it possible to test security modules in an attempt to find vulnerable
spots that should be fixed.

It is made up of two parts: a server, and a client. The server/daemon,
nessusd, is in charge of the attacks, whereas the client, nessus-client-gtk,
provides the user a nice X11/GTK+ interface.

This package contains Nessus plugins and scripts to build additional plugins.
Comment 1 John Mahowald 2006-04-06 20:12:54 EDT
rpmlint:
rpmlint of nessus-plugins-GPL-2.2.6-1.x86_64.rpm:
W: nessus-plugins-GPL no-version-in-last-changelog
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/hydra.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/objectserver.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/ssl_ciphers.nes 0555
E: nessus-plugins-GPL non-executable-script /var/lib/nessus/plugins_factory/libtool 0444
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/ftp_write_dirs.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/nmap_tcp_connect.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/snmp_portscan.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/nmap_wrapper.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/find_service.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/smad.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/tftp_grab_file.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/synscan.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/nessus_tcp_scanner.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/nikto_wrapper.nes 0555
E: nessus-plugins-GPL non-standard-executable-perm /var/lib/nessus/plugins/linux_tftp.nes 0555


rpm was probably expecting 755 or so.

- package meets naming guidelines
- package meets packaging guidelines
- license (GPL (obviously :) and BSD) OK, text in %doc, matches source

However, though I'm not a lawyer, certain terms in the Tenable license seem too
restrictive, particularly in the Other Restrictions clause.
Which plugins are licensed under this?

- spec file legible, in am. english
- source matches upstream
- package compiles on devel (x86_64), works
- no missing BR
- no unnecessary BR
- no locales
- not relocatable
- owns all directories that it creates
- no duplicate files
- permissions ok
- %clean ok
- macro use consistent
- code, not content
- no need for -docs
- nothing in %doc affects runtime
- no need for .desktop file
Comment 2 Andreas Bierfert 2006-04-07 03:18:57 EDT
To be honest: I don't know. I will see if I can find something out so...
Comment 3 John Mahowald 2006-04-11 20:05:36 EDT
The specific section in this license that I'm concerned about:

"You shall not, directly or indirectly:  (i) sell, lease, rent, license,
sublicense, distribute, redistribute or transfer any Plugins or
any of your rights under this Agreement; (ii) modify, translate,
reverse engineer (except to the limited extent permitted by law),
decompile, disassemble or create derivative works based on any
Plugins; (iii) use any Plugins other than in conjunction with
Registered Nessus or NeWT Scanners obtained directly from
www.nessus.org or www.tenablesecurity.com to detect
vulnerabilities on your own system or network or on the system or
network; or (iv) remove, alter or obscure any proprietary notice,
labels or marks on any Plugins."


A quick grep through the scripts shows 517 out of 1074 explicitly contain "GPL".
But many say no license at all.

If we knew what falls under this license in this package, if any, they could be
excluded but now I don't know.
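The two checks the reviewer did by hand in comments 1 and 3 (file modes rpmlint would flag, and which scripts carry a license statement), as an added shell example that is not part of this bug or of the nessus-plugins-GPL package; the plugin tree it scans is constructed inline so it runs offline, and the "other license" keyword list is an assumption:

```shell
#!/bin/sh
# Added example (not from the bug or the nessus-plugins-GPL package):
# audit a plugin tree for non-standard file modes and missing license
# statements. Sample plugin files and their names are constructed.
set -eu

# Build a small constructed plugin tree so the script runs offline.
make_sample_tree() {
  umask 022
  dir=$(mktemp -d)
  mkdir -p "$dir/plugins"
  printf '# This script is released under the GNU GPL\nscript_id(1);\n' > "$dir/plugins/a.nasl"
  printf '# Copyright (C) Example\n# Released under GPLv2\n' > "$dir/plugins/b.nasl"
  printf '# Written by nobody\nscript_id(3);\n' > "$dir/plugins/c.nasl"
  printf '# Licensed under the BSD license\n' > "$dir/plugins/d.inc"
  printf 'not really a binary plugin\n' > "$dir/plugins/hydra.nes"
  chmod 555 "$dir/plugins/hydra.nes"   # the mode rpmlint complained about
  echo "$dir"
}

# Files whose mode is neither 0644 nor 0755, the modes rpmlint expects for
# data files and scripts; anything else (such as 0555) is reported.
find_nonstandard_perms() {
  find "$1" -type f ! -perm 644 ! -perm 755
}

# Classify each .nasl/.inc script: mentions GPL, mentions some other
# license word, or carries no license statement. Prints "total gpl other none".
# Paths containing whitespace are not handled; the sample names have none.
audit_licenses() {
  total=0; gpl=0; other=0; none=0
  for f in $(find "$1" -type f \( -name '*.nasl' -o -name '*.inc' \) | sort); do
    total=$((total + 1))
    if grep -qi 'GPL' "$f"; then
      gpl=$((gpl + 1))
    elif grep -qiE 'BSD|licen[cs]e' "$f"; then
      other=$((other + 1))
    else
      none=$((none + 1))
      echo "no license statement: $f" >&2
    fi
  done
  echo "$total $gpl $other $none"
}

# Stand-alone run: build the tree, print both reports, clean up.
tree=$(make_sample_tree)
echo "non-standard modes:"; find_nonstandard_perms "$tree"
echo "license summary (total gpl other none): $(audit_licenses "$tree")"
rm -rf "$tree"
```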
Comment 4 John Mahowald 2006-05-15 00:38:22 EDT
Debian bug seems to make the most sense of this mess.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291658

You may want to ask the packager which are GPL.
Comment 5 Andreas Bierfert 2006-06-18 05:18:52 EDT
Will move this to lvn ... package should be good to go there =)
Comment 6 Dennis Gilmore 2006-06-18 10:50:40 EDT
Andreas, that is really not the right answer. The correct answer is to ask for
legal to review and see what they say.
Comment 7 Hans de Goede 2006-07-15 01:12:20 EDT
Removing from FE-REVIEW blocker list, since it's no longer under review.

Comment 8 Jason Tibbitts 2006-10-14 18:16:02 EDT
Sorry for the spam; I'm trying to clear the FE-Legal blocker since this ticket
is no longer open, but instead I'm just a bonehead.
